Unrated severityNVD Advisory· Published Nov 26, 2025· Updated Dec 10, 2025
Authentication Bypass by Spoofing in GitLab
CVE-2025-12653
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
10cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 18.3
- (no CPE)range: >=18.3, <18.4.5 || >=18.5, <18.5.3 || >=18.6, <18.6.1
- osv-coords8 versionspkg:apk/chainguard/gitlab-rails-ce-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-fips-18.3pkg:apk/chainguard/gitlab-workhorse-ce-18.3pkg:bitnami/gitlab
< 18.3.6-r2+ 7 more
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: < 18.3.6-r2
- (no CPE)range: >= 18.3.0, < 18.4.5
Patches
Vulnerability mechanics
References
3- hackerone.com/reports/3370245mitretechnical-descriptionexploitpermissions-required
- about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/mitrevendor-advisory
- gitlab.com/gitlab-org/gitlab/-/issues/579372mitreissue-trackingpermissions-required
News mentions
1- GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5GitLab Security Releases · Nov 26, 2025